U.S. ELECTION ASSISTANCE COMMISSION
OFFICE OF INSPECTOR GENERAL

FINAL REPORT:
U.S. ELECTION ASSISTANCE COMMISSION
EVALUATION OF COMPLIANCE WITH THE REQUIREMENTS OF
THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT

FISCAL YEAR 2011

NO. I-PA-EAC-02-11
OCTOBER 2011


U.S. ELECTION ASSISTANCE COMMISSION
OFFICE OF INSPECTOR GENERAL
1201 New York Ave. NW - Suite 300
Washington, DC 20005

MEMORANDUM

October 5, 2011

To:       U.S. Election Assistance Commission

From:     Curtis W. Crider
          Inspector General

Subject:  Final Report - U.S. Election Assistance Commission's Compliance with the
          Requirements of the Federal Information Security Management Act (Assignment No.
          I-PA-EAC-02-11)

In accordance with the Federal Information Security Management Act (FISMA), the Office of
Inspector General (OIG) engaged Leon Snead & Co. P.C., an independent certified public
accounting firm, to conduct an audit of the U.S. Election Assistance Commission's (EAC)
compliance with the OMB Circular A-130 and FISMA requirements. The audit included
assessing the EAC's effort to develop, document, and implement an agency-wide program to
provide information security for the information and information systems that support the
operations and assets of the EAC.

Leon Snead & Co. found that the EAC was in substantial compliance with FISMA requirements.
EAC implemented actions to address the prior year's findings regarding Privacy Act requirements
and established sufficient policies and procedures relative to its IT security program.

The legislation, as amended, creating the Office of Inspector General (5 U.S.C. § App. 3) requires
semiannual reporting to Congress on all reports issued, actions taken to implement
recommendations, and recommendations that have not been implemented. Therefore, this report
will be included in our next semiannual report to Congress.

If you have any questions regarding this report, please call me at (202) 566-3125.


U.S. Election Assistance Commission
Compliance with the Requirements of
the Federal Information Security Management Act

Fiscal Year 2011

Submitted By
Leon Snead & Company, P.C.
Certified Public Accountants & Management Consultants


LEON SNEAD & COMPANY, P.C.
Certified Public Accountants & Management Consultants
416 Hungerford Drive, Suite 400
Rockville, Maryland 20850
301-738-8190
fax: 301-738-8210
leonsnead.companypc@erols.com

September 23, 2011

Mr. Curtis W. Crider
Inspector General
U.S. Election Assistance Commission
1440 New York Ave, N.W., Suite 203
Washington, DC 20005

Dear Mr. Crider:

Enclosed is the final report on our audit of the U.S. Election Assistance Commission's compliance
with the Federal Information Security Management Act for fiscal year 2011.

We appreciate the courtesies and cooperation provided by EAC personnel during the audit.

[signed]
Leon Snead & Company, P.C.


TABLE OF CONTENTS

Introduction
Objective, Scope and Methodology
Summary of Audit
Attachment 1 - Status of Prior Year Findings
Attachment 2 - Agency Response

Leon Snead & Company, P.C.


Introduction

Leon Snead & Company, P.C. has completed an audit of EAC's Information Technology (IT)
security program for fiscal year 2011. Title III of the E-Government Act, entitled the Federal
Information Security Management Act (FISMA), requires each Federal agency to develop,
document, and implement an agency-wide program to provide security for information and
information systems that support the operations and assets of the agency, including those systems
managed by another agency or contractor. FISMA, along with the Paperwork Reduction Act of
1995 and the Information Technology Management Reform Act of 1996, emphasizes a risk-based
policy for cost-effective security. In support of and reinforcing this legislation, the Office of
Management and Budget (OMB), through Circular A-130, Management of Federal Information
Resources, Appendix III, Security of Federal Automated Information Resources, requires
executive agencies within the Federal government to:

    •   Plan for security;
    •   Ensure that appropriate officials are assigned security responsibility;
    •   Periodically review the security controls in their information systems; and
    •   Authorize system processing prior to operations and, periodically, thereafter.

The EAC is an independent, bipartisan agency created by the Help America Vote Act (HAVA)
to assist in the effective administration of Federal elections. In October 2002, Congress passed
HAVA to invest in election infrastructure and set forth a comprehensive program of funding,
guidance, and ongoing research. To foster those programs and to promote and enhance voting
for United States citizens, HAVA established the EAC.

EAC's mission is to assist in the effective administration of Federal elections. The agency is
charged with developing guidance to meet HAVA requirements, adopting voluntary voting
system guidelines, and serving as a national clearinghouse of information about election
administration. EAC also accredits testing laboratories, certifies voting systems, and audits
the use of HAVA funds.

Objective

The objective of our audit was to evaluate EAC's compliance with OMB Circular A-130 and
FISMA requirements.

Scope and Methodology

To accomplish the objective, we reviewed EAC policies and procedures, and performed tests to
determine whether EAC:

    •   policies and procedures were adequate to establish an agency-wide IT security program
        in accordance with OMB requirements.
    •   personnel assessed the risk to operations and assets under their control, assigned a level
        of risk to the systems, tested and evaluated security controls and techniques, implemented
        an up-to-date security plan for each major application and general support system, and
        performed certification and accreditation of the agency's systems.
    •   developed, documented and tested comprehensive contingency plans for the agency's
        information systems.
    •   provided security awareness training to all employees and contractors, and provided
        sufficient specialized training to key IT security personnel.
    •   established a continuous monitoring program, including whether the agency monitored
        scanning results and corrected vulnerabilities, as necessary.
    •   designed and implemented access controls effectively.
    •   met OMB requirements for securing sensitive personal identifying information and
        Privacy Act requirements.

We conducted this audit in accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain sufficient, appropriate
evidence to provide a reasonable basis for our findings and conclusions based on our audit
objectives. We believe that the evidence obtained provides a reasonable basis for our findings
and conclusions based on our audit objectives. Other criteria used in the audit included
National Institute of Standards and Technology (NIST) guidance and OMB Memoranda. The
audit was performed between April and September 2011.

Summary of Audit

Our audit found that the EAC was in substantial compliance with FISMA requirements.
Specifically, we noted that the EAC had established sufficient policies and procedures relating to
its IT security program to address identified risks; implemented actions to address prior concerns
relating to meeting Privacy Act requirements; established a continuous monitoring program that
substantially addressed all NIST requirements; provided annual security awareness training and
specialized training to its IT specialists; developed and tested a contingency plan; and had
established required access controls sufficient to meet identified risks.


Attachment 1

Status of Prior Year Findings

Prior Year Condition:
    Contingency planning for EAC was not in full compliance with FISMA because the
    recently completed plan had not yet undergone testing.
Current Status:
    EAC officials took action to correct this problem.

Prior Year Condition:
    Develop and publish a "routine use" policy dealing with breach of security relating to
    personally identifiable information data, including actions taken for individuals
    affected by the breach.
Current Status:
    EAC officials took action to correct this problem.

Prior Year Condition:
    Conduct privacy impact assessments for electronic information systems and
    collections and, in general, make them publicly available.
Current Status:
    EAC analyzed its systems that contain personally identifiable information and
    published System of Record Notices in 2011, and determined that none of the
    agency's systems required a privacy impact assessment to be issued. We concurred
    in this determination.


Attachment 2

U.S. Election Assistance Commission
Office of the Executive Director
1201 New York Ave. NW - Suite 300
Washington, DC 20005

Memorandum

September 21, 2011

To:       Arnie Garza
          Assistant Inspector General for Audits

From:     Tom Wilkey
          Executive Director

Subject:  Draft Audit Report - U.S. Election Assistance Commission Audit of Compliance
          with the requirements of the Federal Information Security Management Act
          (FISMA) Fiscal Year 2011 (Assignment No. I-PA-EAC-02-11)

After reviewing the attached audit report and summary of the audit results of the
FISMA Audit, management agrees with the audit result submitted by the auditors.

As the audit report indicates, management took the necessary actions to address
the findings that were found in the previous year's audit report and we are now
substantially in compliance with the FISMA requirements.

We thank you and the auditors for the courtesies and assistance that were extended
to our staff during the audit.

If you have any questions regarding our response, please do not hesitate to
contact me at (202) 566-3109.

Copy to:  Alice Miller, COO
          Mohammed Maeruf, CIO


OIG's Mission

The OIG audit mission is to provide timely, high-quality professional products and
services that are useful to OIG's clients. OIG seeks to provide value through its work,
which is designed to enhance the economy, efficiency, and effectiveness in EAC
operations so they work better and cost less in the context of today's declining
resources. OIG also seeks to detect and prevent fraud, waste, abuse, and mismanagement
in these programs and operations. Products and services include traditional financial
and performance audits, contract and grant audits, information systems audits, and
evaluations.

Obtaining Copies of OIG Reports

Copies of OIG reports can be requested by e-mail (eacoig@eac.gov).

Mail orders should be sent to:
    U.S. Election Assistance Commission
    Office of Inspector General
    1201 New York Ave. NW - Suite 300
    Washington, DC 20005

To order by phone:  Voice: (202) 566-3100
                    Fax: (202) 566-0957

To Report Fraud, Waste and Abuse Involving the U.S. Election Assistance Commission or
Help America Vote Act Funds

By Mail:      U.S. Election Assistance Commission
              Office of Inspector General
              1201 New York Ave. NW - Suite 300
              Washington, DC 20005

E-mail:       eacoig@eac.gov

OIG Hotline:  866-552-0004 (toll free)

FAX:          202-566-0957